A new, expansive cybersecurity survey of nearly 4,300 IT and security executives, sponsored by Citrix and executed by researcher Ponemon, offers up three notable conclusions, two of which you might expect.

Organizations worldwide are concerned that the EU’s General Data Protection Regulations (GDPR), slated to go into effect in May, 2018, could cost them a lot of money and constrict their geographic sales reach.

Some also worry about the challenge of reducing the risk from new, unapproved apps and devices, admitting that they’re better at business continuity/disaster recovery (BCDR) and application performance management than ferreting out shadow IT.

Both data points, while interesting, are already a meaty part of ongoing security discussions. But then there’s the wild card:

Worrisome Generation?

Really? Millennials, the age group arguably holding the security aces to protect private documents, actually play loose and fast with the goods? In a way, yes. They’re the most likely (39 percent) to skirt security policies and use unapproved apps and devices at work, according to the data. Gen X workers aren’t innocent either – 32 percent take the route around the rules.

For their part, baby boomers are most victimized by phishing and social engineering scams (33 percent of respondents), and they tend not to know how to protect sensitive and confidential information (30 percent).

What’s the takeaway? Millennials and Gen Xers may know better but still take risks. Older staffers, by comparison, aren’t as well informed, for whatever reason. A dysfunctional organization could result from not everyone operating from the same security playbook, the study suggests.

The Big Question

Taken together, the documents attempt to answer this question: What’s holding up businesses from appropriately addressing security issues?

The initial entry covers risks posed by cyber crime, employee negligence and organizational dysfunction, and the technologies respondents believe are most effective at countering those risks. A second report investigates vulnerabilities from outdated and inefficient IT security technologies.

Data for all three reports is derived from the input of IT and IT security practitioners in Australia/New Zealand, Brazil, Canada, China, Germany, France, India, Japan, Korea, Mexico, the Netherlands, the United Arab Emirates, the U.K. and the U.S.

As the report’s title suggests, the top-down opinion is that businesses can be smarter to protect their most sensitive information—even as the prevalence and potency of threats increase. Chief among the recommendations are access to identity and access management tools and machine-learning technology to reduce security risks; more qualified staffing (and more of them); better technology; and, more funding within IT departments. With all due respect, all are at the top of the usual suspects list.

Other Key Takeaways

Here are some other data points from the third report:

GDPR compliance: While 67 percent of respondents are aware of GDPR, only about half have allocated budgets and started to prepare for the new regulations. Other major worries include the potential large fines for noncompliance and the impact on their business outside the EU.

Less than half of the organizations (48 percent) believe their security infrastructure can handle compliance and regulatory enforcement with a centralized approach to controlling, monitoring and reporting data.

Rogue apps/devices: Only one-third of organizations consider themselves effective in reducing the risk from an influx of new, unapproved apps and devices (33 percent). Respondents said their organizations are more effective in ensuring workforce continuity and ongoing business operations when disruptions and disasters occur (45 percent) and ensuring the availability and performance of traffic over any network connection and device (62 percent).